March 4, 2013

20-20 Hindsight at the Big Top

RSA USA 2013 wrapped up last week and it had all the usual hallmarks of a modern security conference: storm troopers, casinos, free giveaways every few minutes, hawkers with headsets (much like the county fair), models in superhero costumes, attendees vying to collect the most free goodies, and of course the indispensable straight-jacketed unicycle-riding pitchmen.  The buzzwords this year included "Big Data", "Mobile Security" and "Security Analytics", not that there was any clear consensus about what those terms exactly meant or whether the solutions being peddled bore any resemblance to them.  For those with experience attending past conferences, it was just par for the course.

Outside of the circus tent, the high-profile hacks of major companies and web properties figured prominently in most presentations.  This wasn't the usual FUD, either - even our conservative fellow researchers and technical presenters proclaimed that the bad guys had gained the upper hand, especially for the most sophisticated malware attacks from state-sponsored actors and financially-motivated cartels.  The technology put forth this year by the security industry in response was a little surprising, however.  Doubling down on the premise that "if the bad guys really want to get in, they will", the emerging technology trend implied that it's better to react quickly after you're compromised rather than be under silent attack for months or even years like so many of the 2012-2013 examples have indicated.   There were over 11 different vendors that had created a behavioral sandbox (much like our ThreatScope) to examine the behavior of malware already in the environment.  There were at least 7 vendors that had created workflow tools to allow practitioners to record and investigate security events after the breach.  A few security vendors were touting their new-and-improved capabilities at repair and remediation.  One even declared that we now live in a "post-protection world."  They all made for some fairly impressive demonstrations with all of those nifty post-breach attack details.

What was in short supply this year was an answer for why we were all there (in theory): "How do we stop the attacks?"  Where was the innovation around protection?   Protecting data from skilled attackers with newly crafted attacks designed to bypass existing security controls is indeed a hard enough task.  Now try adding in coverage for all the holes in emerging endpoints, mobility, and social web domains, and doing so inline, with low false positives and high performance.  Now try to figure out how to independently prove that all of this stuff works.  It's a mammoth undertaking, and the unanimous consensus was that existing measures are not getting the job done.  Why not focus on THAT problem?

There were exceptions to this trend.  In addition to our own Chris Astacio's standing-room-only talk on mass mobile attacks and Blackhole botnet dissection, Tomer Teller had some concrete insights into "Detecting the 1%" and Ed Skoutis presented CyberCity as a real-world model of how to pentest and ultimately protect infrastructure from physical attack.  There were other examples as well, but far too few.  

We've got to buck this trend and get back to basics - focus on stopping the attacks before they do harm or steal information.  True, we may never get it perfect, but we can certainly do a lot better.  It's all well and good to put lots of 20-20 hindsight and forensics around an attack, but we would all prefer the deafening silence of a prevented attack over a decidedly louder postmortem of a successful data breach in all its glorious new detail.  

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.